ISSUE-114 (CORS-credentials): CORS does not define the effect of the credentials flag in sufficient detail [CORS]
http://www.w3.org/2008/webapps/track/issues/114
Raised by: Maciej Stachowiak
On product: CORS
It looks like the only actual statement about the effect of the credentials flag is:
"Whenever the make a request steps are applied, make a request to request URL, using method request method, entity body request entity body, including the custom request headers, and include credentials if the credentials flag is true (e.g. HTTP authentication data and cookies)."
There are two problems with this:
(1) It's not normatively defined what constitutes a credential.
(2) It says to include credentials when the credentials flag is true, but it doesn't say they must not be included when the credentials flag is false.
I think the credentials flag should specifically affect cookies, HTTP authentication, and client-side SSL certs, but not proxy authentication (or, obviously, Origin).
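A conformance check for point (2), added here as an example and not part of the issue or the CORS specification: given a captured outgoing request and the credentials flag, it reports which credentials were sent even though the flag was false. The classification of what counts as a credential follows the proposal above and is an assumption, as are the `auditRequest` name and the shape of the captured-request object.

```javascript
// Added example. The credential classes follow the proposal in this issue
// (cookies, HTTP authentication, client-side SSL certs); not normative text.
const CREDENTIAL_HEADERS = new Map([
  ["cookie", "cookies"],
  ["authorization", "HTTP authentication"],
]);
// Outside the flag's scope per the proposal: proxy authentication and Origin.
const EXEMPT_HEADERS = new Set(["proxy-authorization", "origin"]);

// captured: { headers: {name: value}, clientCertPresented: boolean }
// (hypothetical shape, e.g. filled in by a test server that logs requests).
// Returns the sorted credential kinds sent although the flag was false.
function auditRequest(captured, credentialsFlag) {
  if (credentialsFlag) return []; // flag true: credentials may be included
  const leaked = new Set();
  for (const name of Object.keys(captured.headers || {})) {
    const key = name.trim().toLowerCase(); // header names are case-insensitive
    if (EXEMPT_HEADERS.has(key)) continue;
    const kind = CREDENTIAL_HEADERS.get(key);
    if (kind) leaked.add(kind);
  }
  if (captured.clientCertPresented) leaked.add("client-side SSL certificate");
  return [...leaked].sort();
}

// Constructed sample requests (values are placeholders, not real captures).
const leakyRequest = {
  headers: {
    Origin: "https://a.example",
    COOKIE: "sid=PLACEHOLDER",
    Authorization: "Basic PLACEHOLDER",
    "Proxy-Authorization": "Basic PLACEHOLDER",
  },
  clientCertPresented: true,
};
const cleanRequest = {
  headers: { Origin: "https://a.example", "Proxy-Authorization": "Basic PLACEHOLDER" },
  clientCertPresented: false,
};

console.log(auditRequest(leakyRequest, false)); // three credential kinds leaked
console.log(auditRequest(cleanRequest, false)); // nothing leaked
```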